Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

June 2022

rusted SBOMs delivered with the JFrog Platform and Azure

Jun 29, 2022 By JFrog In JFrog
SBOMs provide essential visibility into all the components that make up a piece of software and detail how it was put together. With an SBOM in hand it’s possible to determine if software contains existing security and compliance issues or is impacted by newly discovered vulnerabilities. The SBOM is imperative due to the White House’s cybersecurity executive order from May 2021 requiring them for all government software purchases and many private organizations following suit.
View Video
jfrog

CVE-2022-30522 - Denial of Service (DoS) Vulnerability in Apache httpd "mod_sed" filter

Jun 28, 2022 By Brian Moussalli In JFrog

This past March we posted an analysis of a vulnerability in the Apache HTTP Server mod_sed filter module, CVE-2022-23943, in which a Denial of Service (DoS) can be triggered due to a miscalculation of buffers’ sizes. While analyzing this Apache httpd vulnerability and its patch, we suspected that although the fix resolved the issue, it created a new unwanted behavior. Our suspicion turned out to be true: we discovered that another way to cause a DoS was introduced.

Read Post
jfrog

CVE-2022-25845 - Analyzing the Fastjson "Auto Type Bypass" RCE vulnerability

Jun 14, 2022 By Uriya Yavnieli In JFrog

A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson vulnerability only recently received a CVE identifier – CVE-2022-25845, and a high CVSS – 8.1.

Read Post
jfrog

Denial of Service Vulnerability in Envoy Proxy - CVE-2022-29225

Jun 9, 2022 By Ori Hollander In JFrog

The JFrog Security Research team is constantly looking for new and previously unknown software vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a denial of service (DoS) vulnerability in Envoy Proxy, a widely used open-source edge and service proxy server, designed for cloud-native applications and high traffic websites.

Read Post

Software Supply Chain Security for Open Source Projects

Jun 2, 2022 By JFrog In JFrog
Attacks on the open-source value chain (OS supply chain) are becoming more sophisticated, and we, as software developers, are becoming the focus of these attacks. So what are the essential first steps, and what should you focus on? This raises the question of suitable methods and tools. At the same time, the company's strategic orientation must be considered in this security strategy. In the recent past, we have also learned that attacks are increasingly targeting individual infrastructure elements of software development, such as the classic CI/CD pipeline.
View Video

Software Supply Chain Security for Open Source Projects - it's time to prepare!

Jun 2, 2022 By JFrog In JFrog
Attacks on the open-source value chain (OS supply chain) are becoming more sophisticated, and we, as software developers, are becoming the focus of these attacks. So what are the essential first steps, and what should you focus on? This raises the question of suitable methods and tools. At the same time, the company's strategic orientation must be considered in this security strategy. In the recent past, we have also learned that attacks are increasingly targeting individual infrastructure elements of software development, such as the classic CI/CD pipeline.
View Video

Copyright © 2024 OpsMatters™. All rights reserved.